[00:01.500 --> 00:05.860]  Hey everyone, welcome to my talk, Guerrilla Red Team, Decentralize the Adversary.
[00:06.000 --> 00:08.620]  It's a project I've been working on for the past few months.
[00:08.620 --> 00:12.380]  I decided to write a white paper on it, it's published actually today.
[00:12.780 --> 00:15.660]  And the more and more I worked on the project, the more I realized
[00:15.660 --> 00:20.280]  that it meant a lot to the people that were involved, so I decided to talk about it.
[00:20.280 --> 00:22.240]  So without further ado, let's get in.
[00:23.220 --> 00:27.260]  This is a brief overview of what this talk is going to cover.
[00:27.260 --> 00:30.960]  This is a journey that we're going to take together.
[00:30.960 --> 00:33.600]  It's divided into two parts, Phase 1 and Phase 2.
[00:33.600 --> 00:36.100]  I'm going to walk through Phase 1 first, obviously.
[00:36.220 --> 00:38.900]  Phase 2 is going to come a little bit later when I talk about
[00:39.800 --> 00:42.120]  the so what of the program.
[00:42.240 --> 00:45.460]  The yes, we did this thing, so what.
[00:45.460 --> 00:46.940]  That's going to be Phase 2.
[00:48.540 --> 00:49.980]  So, who am I?
[00:50.340 --> 00:54.200]  My name is Chris Cottrell. I usually go by iSpareFriends.
[00:54.200 --> 00:58.660]  Chances are, if you see a picture of iSpare, it could be me.
[00:58.660 --> 01:02.320]  There's a couple others out there, but iSpareFriends is usually where I go.
[01:02.320 --> 01:07.700]  I'm on Twitter, GitHub, I have a few script kiddie things on GitHub, and LinkedIn.
[01:08.300 --> 01:10.480]  I'm open, just hit me up.
[01:12.800 --> 01:18.360]  I have been in the Red Team Offensive Security field since 2012.
[01:19.520 --> 01:23.300]  I'm currently leading my own team right now. It's pretty fun.
[01:23.300 --> 01:25.820]  We kind of get nasty around then.
[01:26.600 --> 01:30.260]  I took my OSCP a few years ago, passed that.
[01:30.260 --> 01:34.260]  Fun fact about that test is I actually consumed over a gram of caffeine
[01:34.260 --> 01:37.380]  the whole time I was doing the test and writing the report.
[01:37.780 --> 01:40.200]  That made me very sick later on.
[01:40.200 --> 01:44.160]  And I hope I never have to do that test or anything like it ever again.
[01:45.360 --> 01:50.980]  And I've also started to delve into the cloud security components of everything.
[01:50.980 --> 01:55.880]  Mainly because me personally, I see a lot of security trends going that route.
[01:55.880 --> 01:59.600]  And I want to try to get ahead of that as much as I can.
[01:59.600 --> 02:02.720]  Not only to build my own automated Red Team infrastructure,
[02:02.720 --> 02:06.420]  but just to pen test various things in the cloud.
[02:06.420 --> 02:10.140]  Pretty much if you learn one, you can kind of understand the other three,
[02:11.060 --> 02:12.480]  or the big three.
[02:13.100 --> 02:17.420]  So with my company, we focus on AWS, so that's where I'm starting.
[02:17.420 --> 02:20.520]  Hopefully I'll have my solutions architect soon.
[02:21.920 --> 02:25.720]  Who is this talk for? That is a great question.
[02:26.080 --> 02:32.260]  This talk is aimed at anybody that is trying to get into the Red Team field.
[02:32.280 --> 02:35.720]  Anybody that runs a Red Team and is looking for friends.
[02:35.720 --> 02:43.680]  Or anybody that is looking to expand or do anything out of the box for their Red Team.
[02:43.680 --> 02:48.380]  And I will get into what the out of the box aspects are for the guerrilla portion.
[02:49.120 --> 02:52.380]  But mainly it's for people that are managers.
[02:52.400 --> 02:56.260]  You're looking for somebody, you're looking for friends, you're looking for more people on the Red Team.
[02:56.340 --> 02:59.540]  People that are trying to get into the Red Team, you're looking for a way in.
[02:59.740 --> 03:02.520]  You're in a company, you're in a help desk or something,
[03:02.520 --> 03:05.060]  and you're trying to break into the InfoSec field,
[03:05.060 --> 03:09.860]  or maybe you're trying to get into the OffSec component.
[03:10.520 --> 03:12.100]  And you don't know where to start.
[03:12.100 --> 03:14.940]  This is a program that's going to take you there.
[03:16.360 --> 03:19.100]  So, just some learning expectations.
[03:19.120 --> 03:21.540]  Like I mentioned, we're going to walk through two phases.
[03:22.220 --> 03:25.680]  Phase 1 is going to be all about upskilling the assets.
[03:25.800 --> 03:28.680]  Phase 2 is going to be about unleashing those assets.
[03:28.700 --> 03:32.080]  Together, those things make up the Guerrilla Red Team.
[03:32.080 --> 03:40.000]  However, this project first started under the moniker of the Red Team Development Program.
[03:40.000 --> 03:43.060]  That's originally what it was called. It was only one phase.
[03:43.100 --> 03:47.040]  And it was Red Team Dev Program, RTDP.
[03:47.680 --> 03:49.560]  Why did I make this program?
[03:49.560 --> 03:54.500]  First and foremost, because this was me for about a year and a half.
[03:54.500 --> 04:02.460]  Just lonely, isolated, by myself, trying to make magic happen by doing ops.
[04:02.680 --> 04:07.040]  Our security team is pretty small, so I was the Red Team component.
[04:07.040 --> 04:10.340]  I was setting up my own program, infrastructure, all that stuff.
[04:10.340 --> 04:11.500]  And it was lonely.
[04:12.980 --> 04:17.220]  I wasn't able to interface with a lot of the teams because they were the ones that I was testing.
[04:17.380 --> 04:22.960]  So, at its core, the Red Team Dev Program was there because I was just lonely.
[04:22.960 --> 04:26.900]  And I was either going to build friends, or I was going to go find them.
[04:26.940 --> 04:31.760]  So, since I couldn't really become friends' friends with a lot of the people that I was testing,
[04:31.760 --> 04:33.500]  I decided to just build my own.
[04:33.500 --> 04:35.640]  And that's where the Red Team Dev Program came into place.
[04:37.740 --> 04:40.080]  It turned into something else, though.
[04:40.180 --> 04:42.000]  And I'll get into that a little bit later on in the talk.
[04:42.000 --> 04:45.060]  But it turned into something magical, in my opinion.
[04:45.360 --> 04:50.060]  And not magical for me, but magical for the people involved.
[04:50.280 --> 04:54.640]  And that is why I'm here having this talk right now.
[04:55.560 --> 05:00.060]  So, at its core, the Red Team Dev Program was going to be, like I said, a way for me to make friends.
[05:00.120 --> 05:02.240]  And it was almost like a pyramid scheme.
[05:02.560 --> 05:04.720]  The Red Team was going to be at the top.
[05:04.720 --> 05:09.540]  And me and my partner that are on the Red Team, we were going to be at the top.
[05:09.540 --> 05:14.640]  And we were going to have all these little people that we could talk to and get ideas from
[05:14.640 --> 05:18.060]  and help with idea generation, campaign generation.
[05:18.200 --> 05:22.020]  If we needed assets to test a certain component of the business,
[05:22.020 --> 05:26.360]  we would have those assets kind of spread throughout the organization.
[05:26.820 --> 05:32.860]  So, not really a pyramid scheme, but kind of took on a similar aspect of it.
[05:33.260 --> 05:37.400]  So, I came up with this idea. We were going to post on our cybersecurity channel on our Slack
[05:38.020 --> 05:40.660]  that we were running this Red Team Dev Program.
[05:40.660 --> 05:46.560]  It was a pilot program, and I only posted it in one channel, and I posted it once.
[05:46.900 --> 05:52.300]  And I told everybody you had to fill out this form that had an open-ended question on it.
[05:52.300 --> 05:56.240]  The only question on the form was, tell me about something cool.
[05:56.600 --> 06:01.740]  And the results that we got from that question were super varied.
[06:01.740 --> 06:08.420]  And from those varied results, it was very obvious who was ready for the program and who was not.
[06:08.500 --> 06:13.760]  And we got over a dozen applications, and I would say over half of those didn't even come from this channel.
[06:13.760 --> 06:16.800]  So, there was definitely some word of mouth that happened with it.
[06:20.700 --> 06:23.780]  So, when you click that link, it led to this form.
[06:23.840 --> 06:28.180]  And just like the form I had mentioned, I was trying to dress it up a little bit, make people excited.
[06:28.180 --> 06:33.020]  And it had that one question, just tell me something cool.
[06:33.800 --> 06:39.040]  From that question, we were able to take five applications.
[06:39.040 --> 06:42.680]  We accepted five people with one alternate, in case somebody wasn't there.
[06:43.100 --> 06:46.480]  I created these templates for their managers.
[06:46.840 --> 06:53.120]  And I would go through and I would say, hey, so-and-so was accepted into the program.
[06:53.120 --> 07:00.980]  We were requesting up to four hours of their workday per week to take part in this program.
[07:01.080 --> 07:08.240]  Are you okay with that? If not, then let me know what you are okay with.
[07:08.240 --> 07:13.140]  And I made this sales pitch and everything to go with it, so they kind of get an idea of what the program was.
[07:15.000 --> 07:21.880]  And if their manager is accepted, then I would send this to them and say, hey, guess what? You're part of that cohort.
[07:22.360 --> 07:25.720]  I need you to fill out this preflight checklist. I'll get into that in a second.
[07:25.840 --> 07:29.540]  And also, we're going to provide you with some swag.
[07:29.660 --> 07:38.460]  And my thought process on this was I wanted people to join the Red Team Dev program because they wanted to be there.
[07:38.460 --> 07:44.300]  And I wanted them to be excited to be there, because if they're excited, they're going to really put forth a lot of effort.
[07:44.520 --> 07:48.440]  And what that turns into is I get a lot of really good assets later on.
[07:48.860 --> 07:55.540]  So the way that we did this was we paid for a Hack The Box VIP subscription for the duration of the program.
[07:55.900 --> 08:02.800]  We paid for three books that they could have, and they could kind of follow along with some extended learning.
[08:03.400 --> 08:06.280]  And this came directly out of the cybersecurity budget.
[08:06.280 --> 08:09.700]  So all they had to do was show up, and we would pay for everything else.
[08:09.700 --> 08:13.880]  And I walked them through how to do this, how to submit expense reports for it and everything.
[08:13.880 --> 08:16.900]  I'm sure it could be streamlined, but that's for the next step.
[08:16.900 --> 08:20.440]  And I also let them take a look at the sales pitch that I sent to the manager.
[08:22.360 --> 08:26.300]  And because I like to make it fun and exciting, I went with a Pokemon theme.
[08:26.300 --> 08:28.040]  These are laptop stickers that we have.
[08:28.040 --> 08:31.960]  This is Absol Cohort for Q2 2020.
[08:32.260 --> 08:38.380]  The idea behind this is every cohort would, you know, every quarter, every half, they would get their own Pokemon.
[08:38.460 --> 08:41.480]  And if you do well in the cohort, you get to stay on as a fellow.
[08:41.800 --> 08:45.040]  And the longer you stayed in, you got to collect them all.
[08:45.040 --> 08:46.880]  So you could collect all the Pokemon.
[08:49.120 --> 08:50.400]  I thought it was fun.
[08:51.760 --> 08:57.680]  So now that I got some branding attached to it, we're going to go through and we're going to say,
[08:58.120 --> 09:00.240]  I need you to fill out this preflight checklist.
[09:01.640 --> 09:03.200]  This is an example of it.
[09:03.200 --> 09:05.040]  But really, like, here's the meat and potatoes.
[09:05.040 --> 09:08.320]  This is how the students answered this question.
[09:09.860 --> 09:16.060]  And it seemed like most of the people came from the help desk field in this cohort.
[09:16.060 --> 09:21.820]  There was a couple that came from other technical disciplines, but a bulk of them came from help desk.
[09:22.280 --> 09:26.540]  And the comfort was kind of all over the place with what you would expect.
[09:27.980 --> 09:31.040]  One person said that they knew how to do an SMB relay.
[09:31.040 --> 09:40.880]  But most of the time, I try to gauge how they thought they were, like, what their technical skills were.
[09:40.880 --> 09:42.820]  So for example, Windows networking.
[09:43.220 --> 09:46.240]  I mean, to me, watching YouTube is a good way to get started.
[09:46.240 --> 09:47.780]  You at least know what you're trying to watch.
[09:47.780 --> 09:53.420]  But if you can mount a file share, maybe understand SMB a little bit more.
[09:54.680 --> 09:56.200]  Same thing with Linux.
[09:56.200 --> 09:58.660]  Seems like quite a few people knew what SSH was.
[09:58.660 --> 10:02.680]  A couple of them knew how to use SSH with keys, or at least understood what that meant.
[10:03.400 --> 10:07.220]  And just general ideas of what the people wanted to get out of this.
[10:09.080 --> 10:12.520]  For the bulk of it, it was everybody just wanted to learn about red teaming.
[10:12.520 --> 10:16.400]  A couple people wanted to take it a step further and say, like, I want to turn this into a career.
[10:16.640 --> 10:21.500]  I made it very clear that this was not what the program was, but that's fine.
[10:21.500 --> 10:24.880]  And I wanted to teach these students.
[10:24.880 --> 10:33.340]  I wanted to teach them how to fish, not necessarily how to be an operator, but how to get to a point where they know, OK, I have X problem in front of me.
[10:33.340 --> 10:35.280]  I'm going to go with Y solution.
[10:35.380 --> 10:42.780]  Whereas at the start of this program, they may not even know what X problem was or even how to search for Y solution.
[10:42.780 --> 10:50.360]  The program here was to help with them to get to a point where they could ask that question and start doing research on their own.
[10:51.040 --> 10:57.400]  So, like I mentioned, we primarily use Hack the Box for a lot of the practical application portions.
[10:57.580 --> 11:01.520]  And we did that by, you know, providing a VIP subscription.
[11:03.800 --> 11:10.660]  The reason we went in VIP is because some of the lessons that were being taught, we needed the actual walkthroughs.
[11:10.660 --> 11:16.240]  And if you have a VIP subscription, you can, you know, you can download the walkthroughs for retired machines.
[11:16.460 --> 11:21.360]  So it wasn't so much about, you know, getting points and everything, but it was about learning.
[11:21.560 --> 11:25.100]  And the best way to do that is just to say, try it for a few days.
[11:25.100 --> 11:27.980]  And if you can't figure it out, let's talk about it.
[11:27.980 --> 11:33.560]  And then if you still can't figure it out, just download the walkthrough, because I at least want to incorporate some sort of learning.
[11:33.560 --> 11:39.400]  I want to push the whole cohort forward at the same time, not just like one person, onesies, twosies.
[11:39.920 --> 11:42.060]  These are the three books that we picked.
[11:42.780 --> 11:46.460]  Slight caveat warning, my name is actually in the one on the left.
[11:46.460 --> 11:51.060]  I knew what was in the book because I helped do some technical review for it.
[11:51.060 --> 11:54.300]  And I knew that it would be a good resource to have for students later on.
[11:54.820 --> 12:01.600]  Waging Cyber War was there to kind of expose the students to what not just a red team is,
[12:01.600 --> 12:08.460]  but how do you take a red team to the next level of like, for real, not just exercises and wargaming.
[12:08.460 --> 12:16.000]  And then the Red Team Development and Operations book that Joe Vest and James Tubberville released just this year, which is super awesome.
[12:16.380 --> 12:19.860]  If you are a red team manager, I highly suggest you read the first half of that book.
[12:19.860 --> 12:23.100]  If you're a red team operator, I highly suggest you read the second half of that book.
[12:23.100 --> 12:26.860]  If you just want to read the whole thing, go for it because it's awesome all the way around.
[12:28.960 --> 12:32.180]  So phase one, red team dev program started.
[12:32.180 --> 12:36.180]  So I had selected all the applications. We selected five people for our cohort.
[12:36.180 --> 12:41.300]  We got buy-in from their managers to come in for four hours a week on Fridays.
[12:41.300 --> 12:46.800]  The whole cohort met together and we would start going to town.
[12:48.620 --> 12:55.600]  So I made the syllabus for the program and it was broken up into two parts.
[12:55.720 --> 13:00.500]  There was the we're going to learn how to do this phase, which was the first five weeks.
[13:00.500 --> 13:05.220]  And then there was the live ops phase, which is the second, like the last four weeks.
[13:05.860 --> 13:10.600]  First five weeks are all going to be broken down into things like, here's Windows, here's Linux,
[13:10.600 --> 13:14.740]  here's how you do a Windows privesc, here's how you do a Linux privesc, here's how you do password cracking.
[13:16.400 --> 13:23.220]  And we would meet once a week to discuss those things and go over, you know, learning and everything that we needed.
[13:23.540 --> 13:28.700]  And just trying to impart as much knowledge as we could so that they could go out and try to research this.
[13:31.700 --> 13:38.360]  In addition to the books, we also incorporated the podcast Darknet Diaries.
[13:38.360 --> 13:43.000]  I tried to sync up whatever the lessons that we were trying to teach that week.
[13:43.000 --> 13:48.800]  I tried to sync up a podcast with Darknet Diaries for that. And sometimes they matched up very, very well.
[13:48.800 --> 13:53.120]  Sometimes it was just more of a hey, listen to this episode because it's really good.
[13:55.910 --> 13:58.190]  So this is just a quick breakdown of the syllabus.
[13:58.190 --> 14:06.410]  Week 1, Introduction to Red Teaming. We do Legacy. Week 2, Lame. Week 3 was all about password cracking.
[14:06.410 --> 14:10.630]  Week 4, Windows privesc, Linux privesc, LiveOps.
[14:12.490 --> 14:15.410]  So week 1 is Intro to Red Teaming.
[14:15.550 --> 14:24.610]  This week focused heavily on talking about what op notes were and how to take them correctly.
[14:24.610 --> 14:31.170]  And the reason I harp on this is because, for me, the op notes are the deliverable that's required every week.
[14:31.170 --> 14:37.830]  And if I can't read them, and if I can't figure out the narrative that the operator is trying to tell, then they're essentially useless.
[14:37.830 --> 14:46.770]  Because I need to be able to take their op notes, replay the op, and do exactly the same thing that they did without ever talking to them.
[14:46.810 --> 14:52.890]  So this was a constant theme throughout the cohort was op notes, op notes, op notes.
[14:52.890 --> 14:57.410]  It needs to be in a certain narrative. It needs to have certain types of information.
[14:57.650 --> 15:02.330]  If I want raw logs, I'll go pull the raw logs myself, but I don't want raw logs.
[15:02.330 --> 15:06.150]  I want to know what you did. So we talked a lot about op notes.
[15:06.750 --> 15:11.890]  Fortunately, most people had an understanding of what Metasploit was and knew how to use it.
[15:11.890 --> 15:18.710]  So we could just get kind of straight to, you know, doing this first box, which is Legacy.
[15:18.710 --> 15:24.910]  I paired that up with the Darknet Diaries episode 57 on MS08-067.
[15:25.250 --> 15:30.730]  And this was just a quick blend. This was like, let's see what your op notes look like. Let's see how you think.
[15:30.730 --> 15:33.570]  Let's get an idea of what being on target looks like.
[15:33.990 --> 15:35.870]  All the students completed this.
[15:36.690 --> 15:41.550]  So here's the episode, talked about it, you know, NetAPI.
[15:42.630 --> 15:44.790]  Here's the box. It was an easy box.
[15:44.790 --> 15:49.750]  Almost every boxes, almost all the boxes in this program are easy.
[15:49.770 --> 15:55.670]  And that's not like some are definitely easier than others in the easy category.
[15:57.190 --> 16:00.070]  But keep in mind, this is like we were just trying to do learning.
[16:00.070 --> 16:02.570]  It wasn't we're not trying to be super elite.
[16:02.570 --> 16:07.110]  We're trying to get these people to a certain level so that they can do things on their own.
[16:07.690 --> 16:12.250]  For this one, it was super easy. CVE. I think everybody got it pretty quickly.
[16:12.990 --> 16:16.690]  Week 2 was the other OS. I started talking about Linux here.
[16:16.990 --> 16:25.730]  And I paired that with just a podcast where you could get an idea of what some professional penetration testers would do.
[16:26.290 --> 16:28.610]  LAME was the box that we chose.
[16:28.910 --> 16:36.250]  And at this point, I started trying to profile and categorize everything so that the students weren't so lost all the time.
[16:36.250 --> 16:41.050]  So it was a Linux OS. I thought you probably have to use Nmap and Metasploit.
[16:41.350 --> 16:44.810]  And if they completed it, I was like, here's another box you can try.
[16:44.810 --> 16:52.250]  But like nobody did it. So as I built the syllabus, I was definitely overzealous in trying to make things.
[16:52.910 --> 17:00.390]  I could have focused on, you know, providing more learning links and less on, hey, if you actually complete this, why don't you try this super hard box.
[17:01.690 --> 17:07.910]  Just visiting, physical penetration test. LAME, again, pretty easy box.
[17:08.450 --> 17:11.410]  Most of the ones that I chose are pretty CVE heavy.
[17:11.730 --> 17:16.750]  And everybody completed this. We were still kind of harping on op notes a little bit.
[17:16.750 --> 17:20.290]  Some people were doing very well. Some people still needed some course corrections.
[17:20.850 --> 17:24.490]  It was super interesting to see this like template that I made.
[17:24.490 --> 17:32.790]  And I tried to show everybody, like, some students would go one way with it and some would go completely another way with how they structured their op notes.
[17:32.790 --> 17:36.570]  They were still giving me the information I wanted, but it made sense to them from their perspective.
[17:36.570 --> 17:45.670]  And it was really interesting to see how they how they chose to start capturing all this information, how their brains started making sense of everything.
[17:45.670 --> 17:51.650]  They were trying to make sense of it themselves, but they were also trying to make sure that I was happy with them.
[17:53.730 --> 17:59.210]  Week three, I decided, hey, let's do password cracking because you're going to get on a box.
[17:59.210 --> 18:02.850]  Like, they're not all going to be NetAPI or immediately get SYSTEM.
[18:02.850 --> 18:06.690]  So you're probably going to have to like crack some creds every now and then.
[18:07.250 --> 18:12.130]  And this this week is where things started to get interesting.
[18:12.130 --> 18:19.550]  So those are learning links at the bottom. Those were not there when I originally made the syllabus.
[18:19.950 --> 18:27.410]  As the week went on, I started talking to everybody throughout the week because, you know, the only day we met was Fridays.
[18:27.410 --> 18:30.130]  But we would also like talk throughout the week as well.
[18:31.610 --> 18:36.210]  People were running into some issues and I had to go through and research.
[18:36.210 --> 18:43.390]  And my red team buddy, Steve, he went through there and we put all these learning links in there.
[18:43.870 --> 18:47.630]  And like, as you see at the bottom, there's a Kerberos primer, right?
[18:47.630 --> 18:51.730]  That's my fault. But it's my fault that I chose this box.
[18:51.730 --> 18:57.970]  I was looking for password cracking, but I had taken these people that were in helpdesk and I had thrown them into a Kerberos situation.
[18:58.090 --> 19:02.350]  Now, luckily for me, they all kind of did what they needed to do.
[19:02.410 --> 19:12.910]  And they talked to each other, which is great because part of the cohort was forming an internal mesh network of trusted ethical hackers.
[19:12.930 --> 19:17.610]  Not just for me, but for them, too, because it was for me, for the assets, for them.
[19:17.610 --> 19:22.190]  You may not always want to go to the instructor and say, hey, how do I do this for the fifth time?
[19:22.190 --> 19:25.890]  Maybe you want to go to your buddy because you're going to be judged a little bit less for that.
[19:25.890 --> 19:30.430]  So if I could build that trust into the cohort, that's amazing.
[19:30.430 --> 19:34.130]  And that's exactly what happened this week is they all talk to each other.
[19:34.130 --> 19:41.010]  And throughout the week, this portion of the syllabus changed and you had those learning links get added in.
[19:41.010 --> 19:44.310]  You had Kerberos primers popped in.
[19:44.310 --> 19:53.790]  I think by Wednesday, a couple people had downloaded the walkthrough and at least said, I'm going to get some learning out of this, even if I don't understand it.
[19:53.790 --> 19:55.590]  But at the end of the week, everybody did.
[19:56.050 --> 19:59.510]  In fact, paw in the box.
[19:59.710 --> 20:00.630]  So there's RockYou.
[20:00.830 --> 20:03.810]  I got some... this is the podcast I chose for this week.
[20:04.830 --> 20:07.830]  And there was actually... I got a lot of really good feedback on that one.
[20:07.830 --> 20:16.630]  So thank you, Darknet Diaries, for having a podcast on RockYou, because they said it helped a lot with how they were going to attack the box.
[20:19.570 --> 20:21.310]  Again, Active is the one we chose.
[20:21.310 --> 20:24.170]  There was a CVE, but then there's some other things you had to do.
[20:24.170 --> 20:25.730]  I'm not going to spoil it for everybody.
[20:27.670 --> 20:30.530]  Week four, we're just getting worse and worse.
[20:30.530 --> 20:33.170]  I chose all these boxes and I was like, this is going to be great.
[20:33.170 --> 20:35.470]  They're going to figure out things pretty quickly.
[20:35.470 --> 20:36.210]  That didn't happen.
[20:36.210 --> 20:38.530]  More learning links had to get added in.
[20:38.530 --> 20:45.450]  And this was just a constant iterative process between myself and the students and my buddy Steve.
[20:46.150 --> 20:47.290]  How are you doing?
[20:47.290 --> 20:48.330]  How's everything going?
[20:48.330 --> 20:50.730]  Okay, so there's going to be some issues here.
[20:50.770 --> 20:53.190]  Let's go ahead and drop a learning link in.
[20:54.150 --> 20:56.810]  Maybe it'll kind of help speed things along.
[20:57.990 --> 21:00.690]  Had to do some living off the land stuff.
[21:00.690 --> 21:10.330]  Again, this week was a little bit interesting, mainly because there was some crazy stuff that happened with this box.
[21:13.890 --> 21:22.950]  And the constant feedback and connection that we had with the cohort was critical from this point forward.
[21:23.050 --> 21:27.270]  This point forward, people were starting to get a little upset.
[21:27.270 --> 21:29.570]  Not upset, but just like frustrated, right?
[21:29.570 --> 21:32.110]  You're not supposed to be frustrated when you're trying to learn stuff.
[21:32.110 --> 21:34.610]  And they were being frustrated for the wrong reasons.
[21:34.610 --> 21:37.770]  They weren't being frustrated because they were being, oh, this is challenging.
[21:37.770 --> 21:43.550]  They were being frustrated for something that they had no control over, this gap in knowledge that I didn't prepare them for.
[21:43.550 --> 21:49.890]  So by having that constant feedback and talking to them throughout the week, we were able to kind of overcome some things.
[21:49.890 --> 21:51.070]  It was a little rough at first.
[21:51.070 --> 21:55.970]  I mean, this is a pilot program, but the next one will be more streamlined.
[21:55.970 --> 22:04.270]  And because this was a Windows PrivEsc lesson, I picked Shamoon, a pretty famous attack.
[22:06.090 --> 22:08.030]  Here's the box, Optimum.
[22:09.010 --> 22:18.750]  Some CVEs end with this, but what happened after Optimum was complete for that week, and we started talking about week five.
[22:18.750 --> 22:24.770]  You know, like week four, we'd show up, you know, Fridays for a four-hour block.
[22:24.770 --> 22:30.730]  I'd start reviewing op notes and then I'd start trying to talk about what was going to happen for the next week.
[22:31.310 --> 22:33.710]  What happened was this.
[22:34.930 --> 22:38.670]  I got a Slack message from one of the students.
[22:39.670 --> 22:47.030]  And after our lessons had ended, all the students met together and they started talking about feedback and how things could be improved.
[22:47.030 --> 22:49.670]  Now, I could have taken this one of two ways.
[22:49.730 --> 22:55.770]  I'm not trying to, like, you know, have an ego about it or anything, but I could have been really offended by it.
[22:55.770 --> 23:05.670]  But because I was starting to see that the students really, really cared about the program, even though that they were frustrated, they really cared about it.
[23:07.510 --> 23:10.830]  And basically, this feedback was saying, like, we need help.
[23:10.830 --> 23:14.290]  We need help. We need we need some better walkthroughs.
[23:14.290 --> 23:15.930]  We need more direction.
[23:15.930 --> 23:18.170]  We need you to do a better job.
[23:18.310 --> 23:21.650]  And they weren't saying it in a way that was, you suck.
[23:21.650 --> 23:24.330]  It was, we want to make the program better.
[23:24.330 --> 23:24.970]  And I heard them.
[23:25.570 --> 23:28.750]  And as a result of that, I decided to implement something else.
[23:28.750 --> 23:29.830]  I was doing it live.
[23:29.830 --> 23:33.110]  I was going to do what I call a Sherpa op, right?
[23:33.190 --> 23:40.590]  Now, a Sherpa op, like I got the term from Destiny, because you have somebody that's really skilled and doing a raid or something.
[23:40.590 --> 23:47.010]  And they would take, I don't know, five other people through and they would just kind of guide them, right?
[23:47.010 --> 23:48.890]  People that didn't know what they were doing.
[23:48.990 --> 23:50.310]  They were just going to guide them through.
[23:50.310 --> 23:53.690]  So I was like, how can I do that for red teaming?
[23:53.690 --> 23:55.790]  So I came up with this term called Sherpa ops.
[23:55.790 --> 23:56.710]  And that's what we did.
[23:56.710 --> 23:59.970]  So at the start of week five, I was like, guess what, guys?
[24:00.270 --> 24:02.770]  All of us get on target because this is what we're doing.
[24:02.810 --> 24:04.430]  I have not done this box.
[24:04.450 --> 24:06.350]  I will not do this box.
[24:06.990 --> 24:09.590]  We are going to work together, all five of us.
[24:09.590 --> 24:13.130]  Myself included as the Sherpa.
[24:13.370 --> 24:16.650]  And we are going to go through this host together.
[24:16.650 --> 24:19.530]  And I'm going to try to guide you through without ever touching the keyboard.
[24:19.910 --> 24:21.570]  And I had done no research on this.
[24:21.570 --> 24:28.030]  I just thought it was super easy and had a huge count of user and root owns.
[24:28.030 --> 24:29.950]  So I figured it was probably good to go.
[24:30.010 --> 24:31.450]  I didn't know what we were going to do with it.
[24:31.450 --> 24:32.870]  I didn't know how successful it was.
[24:32.870 --> 24:35.490]  All I knew was that it was a super easy Windows box.
[24:35.490 --> 24:44.150]  And at the end of one hour after we had started, everybody in the group had owned that box.
[24:44.510 --> 24:52.370]  And it was pretty awesome because I was asking them questions and sparking them ideas that they'd scan something.
[24:52.370 --> 24:55.030]  I'd say like, OK, tell me about this.
[24:55.030 --> 24:55.690]  Tell me about this.
[24:55.690 --> 24:56.290]  Tell me about this.
[24:56.290 --> 24:57.210]  They would scan.
[24:57.290 --> 24:59.030]  They would come up with their own ideas.
[24:59.030 --> 24:59.930]  They would give me feedback.
[24:59.930 --> 25:01.610]  And I'd say, OK, that's great.
[25:02.070 --> 25:04.070]  I need the information about this.
[25:04.070 --> 25:04.990]  How would you go find it?
[25:04.990 --> 25:07.750]  And just constant back and forth.
[25:07.750 --> 25:10.130]  It was almost like doing an escape room.
[25:10.130 --> 25:13.310]  Everybody gets their one hero moment in an escape room.
[25:13.310 --> 25:14.670]  That was pretty much the case for this.
[25:14.670 --> 25:17.850]  Everybody got their hero moment where they found one piece of the puzzle.
[25:18.030 --> 25:21.110]  And it was really awesome to help guide them through.
[25:23.150 --> 25:28.370]  It was a good experience because of what came after.
[25:28.370 --> 25:34.410]  It was good to do the Sherpa op, but afterwards when I was doing a feedback session on it, I was like,
[25:34.410 --> 25:35.830]  Hey, what do you guys think?
[25:35.850 --> 25:37.670]  What do you think of the program even?
[25:37.670 --> 25:39.550]  Because this is week five right now.
[25:40.410 --> 25:45.170]  And the feedback that I got is what made me decide to write a white paper about this program.
[25:47.310 --> 25:58.050]  They reported that their co-workers and colleagues were asking when they could apply for the program because they saw what the guerrillas were doing.
[26:00.490 --> 26:04.710]  The students tried to find other similar programs at other places.
[26:04.710 --> 26:05.810]  They found nothing.
[26:06.750 --> 26:11.530]  I know that OffSec has their academy now, but I was there first.
[26:12.770 --> 26:18.650]  But this was a straight up grassroots campaign to bring people into the field.
[26:18.650 --> 26:24.910]  And it started out as a way for the red team to get trusted assets throughout the organization to help fuel ops.
[26:24.910 --> 26:27.770]  But from this point forward, it turned into something else.
[26:27.770 --> 26:32.430]  It turned into this was more important to the students than it was for me.
[26:32.910 --> 26:51.070]  And this was giving them an opportunity to learn some skills, to talk with the red team dude, to ask questions in a non-judgmental environment, to marinate on some of the lessons that were being learned, to struggle and grow together as a group instead of just like one-on-one mentorship.
[26:52.150 --> 26:54.230]  And I was like, I got to write this up.
[26:54.390 --> 26:55.390]  And I did.
[26:55.390 --> 26:57.470]  So the white paper is being released today.
[26:57.470 --> 26:58.790]  So thank you, Cybrary.
[27:00.230 --> 27:04.150]  But after that, I was like, you know what, let's do week five.
[27:04.150 --> 27:04.790]  Let's go.
[27:04.790 --> 27:07.730]  And originally, the box that I picked was Calamity.
[27:07.930 --> 27:10.010]  And I did that.
[27:10.010 --> 27:14.210]  I picked Calamity like the very beginning, not knowing what that was.
[27:14.410 --> 27:23.170]  And a couple of days into that, I was like, y'all need to stop doing that immediately and go do this other box instead, which was Traceback.
[27:23.170 --> 27:29.390]  And I mean, some of the Linux learning links that we placed on there still apply.
[27:30.710 --> 27:33.610]  But I kind of led them into the slaughter on that one.
[27:34.570 --> 27:44.650]  And at this point, we kind of ran out of Darknet Diaries episodes that perfectly lined up with what we needed at the time.
[27:44.650 --> 27:47.510]  So I was like, hey, just listen to these mini-stories, I guess.
[27:51.530 --> 27:53.810]  But Traceback was a lot of fun.
[27:53.810 --> 27:55.990]  Everybody in the cohort pwned it.
[27:56.370 --> 28:03.830]  This was actually supposed to be the first box of the LiveOps, right?
[28:04.110 --> 28:16.850]  LiveOps was a shift in mentality, whereas the first five weeks were work together, succeed together, learn how to do these things,
[28:16.850 --> 28:23.050]  keep doing your op notes, keep learning about Windows, Linux, keep learning about all the offensive tools that are out there,
[28:23.490 --> 28:29.430]  keep challenging yourself, come to me with questions, come to your cohort with questions, just don't stop.
[28:29.430 --> 28:33.530]  If you hit a roadblock, don't just sit there at the roadblock, figure it out.
[28:33.750 --> 28:42.730]  And if all else fails, part of figuring out that roadblock is downloading the walkthrough from Hack The Box, which is why we bought the VIP subscriptions in the first place.
[28:43.530 --> 28:53.070]  Week six through nine, well now week five because of Calamity, that was all about, like I bolded right there, work together, succeed individually.
[28:53.070 --> 28:56.090]  This is the struggle phase. This is the break me off phase.
[28:56.090 --> 29:06.770]  This was going to be the phase where people got to see what it was like, just a little taste of being dropped into a live network, and you can't just download the walkthrough.
[29:08.610 --> 29:14.390]  They're going to have to struggle, they're going to have to figure things out on their own, and it's going to suck.
[29:14.490 --> 29:19.430]  Some of the students did very, very well. And I'll give you a slight spoiler alert.
[29:19.510 --> 29:27.590]  I didn't intend to steal people from organizations, but one of these students is now on the red team because of the aptitude that they showed.
[29:28.350 --> 29:34.410]  And some of them, you know, it's to be expected. They hadn't seen these things before, and they struggled because there were knowledge gaps.
[29:34.410 --> 29:44.970]  Like, if you ask me to go do quantum theory, I'm not going to know, I can YouTube some stuff, but I'm not going to be able to talk to you because there's this huge gulf of knowledge that I can't overcome.
[29:44.970 --> 29:51.090]  It's the same thing for some of these students, and you have to recognize when those gulfs hit.
[29:51.530 --> 29:59.450]  Okay, time to take a step back. And that happened during the last weeks of the live ops. I had to redirect one of the students to do something else.
[30:01.090 --> 30:10.010]  So the way that we had set it up was you have to do two easy machines, you have to do one of the easy machines before you can move on to the hard ones, or to the medium ones.
[30:10.010 --> 30:15.930]  For this, it was Traceback and Remote, and because we were doing Traceback instead of Calamity, they already kind of got like a head start.
[30:17.950 --> 30:27.430]  Remote was pretty fun. All the students pwned that one. There was a CD attached to it, and then the actual ProDesk portion was pretty interesting.
[30:27.590 --> 30:33.150]  A lot of research went in to the students. And some of these things aged off.
[30:33.550 --> 30:43.790]  And the reason I chose all the live boxes, like I said, was so that they could get a taste of what it feels like to be in a network and not have any hope.
[30:47.290 --> 30:54.070]  And to get some points to go along with it. Because if you can get some real points, you can go back and say, like, hey, I'm not a script kid anymore, or like, hey, I'm not a noob.
[30:55.650 --> 30:59.730]  But anyway, so I was trying to gamify it as much as I could and get some points.
[30:59.990 --> 31:04.930]  So for the medium boxes, we chose Sauna and ServMon.
[31:06.510 --> 31:13.770]  ServMon was pretty fun, but it was kind of unstable, and I felt like I had to warn people about that because you don't know what you don't know at that point.
[31:13.770 --> 31:19.070]  Some of these people are pretty new. They may think that they're doing the right thing, and the boxes... it wasn't working.
[31:19.330 --> 31:33.690]  So I kind of wanted... I did a little pathfinder thing and went through and just blasted through, like, every easy medium box that I could so that I could kind of guide them and say, like, hey, by the way, on this one, ServMon, it's going to be a little bit kind of a pain in the butt.
[31:35.730 --> 31:42.690]  The person that got chosen to come up to the red team completed both of these boxes.
[31:43.650 --> 31:48.990]  Almost everybody completed at least one of these, and one student did not complete either.
[31:49.070 --> 31:56.990]  So that student was pushed to a similar type box, but that had a walkthrough instead.
[31:56.990 --> 31:59.590]  And that didn't really happen until about week 8 or 9.
[32:01.670 --> 32:11.230]  So from this point on, like, the cadence for during the live op sections went from, hey, these are learning links to let's talk about what challenges you're running into.
[32:11.230 --> 32:15.330]  Let me see your op notes, even if they're not finished, like, upload them, let me look at them.
[32:15.450 --> 32:17.030]  Let's take a look at these things.
[32:17.810 --> 32:23.370]  So it turned into more of like a red team discussion and not so much as a lecture during the second half.
[32:23.390 --> 32:28.890]  Nobody made it to any of these, so I don't even know if we'll have the challenge boxes in during the next iteration.
[32:30.150 --> 32:37.970]  But at the end of 9 weeks, this is one of the op notes from one of the boxes, I forget which one it was.
[32:38.150 --> 32:45.490]  We went from somebody that had never done red teaming before, never done anything closely related to it.
[32:46.450 --> 32:49.490]  And at the end of 9 weeks, they were producing op notes like this.
[32:49.510 --> 32:52.710]  And this is not the person that was chosen to be on the red team.
[32:52.710 --> 32:54.690]  This is from one of the other operators.
[32:56.790 --> 33:02.210]  Just from this small snippet, you're able to tell, hey, I understand what the narrative is.
[33:02.370 --> 33:05.130]  I understand what they tried. I understand what they were thinking.
[33:05.370 --> 33:08.110]  Most of the op notes look like this by the end of 9 weeks.
[33:08.270 --> 33:12.790]  And this was a huge pain point that I kept harping on, and that was constant every week.
[33:12.790 --> 33:14.510]  Let me see your op notes, op notes, op notes.
[33:14.750 --> 33:18.490]  But these students can take this methodology with them.
[33:18.490 --> 33:21.850]  I mean, I even made an op note template generator for them.
[33:21.850 --> 33:25.990]  But the methodology here is now they are in their brain.
[33:25.990 --> 33:31.030]  If they do an op, or they do Hack The Box, they're going to have their op notes up.
[33:31.030 --> 33:36.110]  If they try to do OSCP, they're going to be taking op notes now.
[33:36.190 --> 33:39.550]  They will understand where they've been, what they're trying to do.
[33:39.690 --> 33:44.170]  And maybe if they're stuck on something, they go back, they read their own narrative.
[33:44.170 --> 33:45.970]  They say, oh, yeah, I should try that.
[33:45.970 --> 33:52.850]  And to me, that was the most critical part of this for teaching these junior operators, these guerrilla operators how to fish.
[33:54.010 --> 33:56.590]  So at the end of the nine weeks, the cohort was over.
[33:56.670 --> 34:07.730]  I sent out the same exact questions that I had at the start of the cohort just to see where they thought they were.
[34:07.730 --> 34:10.670]  So on the left is the preflight survey that I had.
[34:10.670 --> 34:12.730]  And then on the left is the exit survey.
[34:12.730 --> 34:17.850]  So it looks like a pretty good increase with Windows networking.
[34:19.590 --> 34:23.630]  Great increase, actually, with the Windows networking.
[34:23.630 --> 34:26.570]  A lot of people really understood SMB a lot more.
[34:29.610 --> 34:32.690]  Similar situations with the Linux stuff.
[34:32.690 --> 34:36.270]  Pretty big increases with the Linux operating system.
[34:36.270 --> 34:40.110]  Comfort with Linux networking was pretty good.
[34:40.730 --> 34:46.870]  And then just what they thought, what they wanted to get out of the experience on the left.
[34:46.870 --> 34:51.050]  And then what they kind of felt like they did get out of the experience on the right.
[34:52.970 --> 34:55.850]  A lot of... I mean, it was pretty Windows heavy.
[34:55.850 --> 34:59.950]  So that's probably why the majority of the Windows stuff went up.
[35:01.330 --> 35:09.050]  But on the right, you're going to see a lot of people talk about how the methodologies, the recon,
[35:09.050 --> 35:15.190]  like the second comment there, putting theoretical knowledge in the test and then applying it,
[35:16.310 --> 35:18.030]  how to research, things like that.
[35:18.030 --> 35:21.310]  These are all the core things that I was trying to do.
[35:21.390 --> 35:27.790]  And at the start of my preflight survey, at the beginning of the thing, or I'm sorry, on my application process,
[35:27.790 --> 35:32.070]  I said, what this is, it's a chance to hang out with a red teamer and talk shop.
[35:32.070 --> 35:33.910]  What this isn't is an internship.
[35:33.910 --> 35:38.990]  So this feedback is actually exactly what I was looking for.
[35:38.990 --> 35:41.570]  And it could be streamlined a little bit better, 100%.
[35:41.570 --> 35:45.610]  I'm sure there's other people that if you take this program and you do it, you're going to do it better than I will.
[35:45.610 --> 35:47.810]  And that's awesome. Please publish that.
[35:47.850 --> 35:50.570]  But really, it's all about just like upskilling people.
[35:51.390 --> 35:58.770]  And if you have those upskilled assets throughout the organization, your security IQ is also raised as well.
[35:58.890 --> 36:02.850]  So it doesn't just benefit you, it benefits the whole business.
[36:02.850 --> 36:06.750]  And I just wanted to put this in here because I'm about to show all these noobs.
[36:07.030 --> 36:11.610]  I want to show that all six of them have said that, yes, I can use their picture.
[36:12.090 --> 36:17.950]  So this is the absolute cohort right here. And the biggest noob is up there in the top right.
[36:19.170 --> 36:24.350]  I was with this group for nine weeks. We still talk on Discord all the time.
[36:24.350 --> 36:29.610]  We still talk shop, even though the cohort has been over for about a month and a half now.
[36:29.610 --> 36:33.810]  It was great. It was an awesome opportunity.
[36:33.950 --> 36:40.870]  And I feel like some of these people are going to go forward and probably become InfoSec professionals.
[36:40.930 --> 36:45.950]  Some of these people may choose to go a different route, but they're always going to have that security mindset.
[36:46.270 --> 36:50.490]  Right. They got to see what an attacker looks like because they were one at some point.
[36:51.970 --> 36:56.410]  But wait, there's more, because I said that there were two phases to this.
[36:56.410 --> 37:06.190]  So phase two is the guerrilla red team aspect. Phase two came to me when I was actually writing up the paper for phase one.
[37:06.370 --> 37:12.150]  Right. I was writing up this paper. Like I said, the original intent was we're going to upskill people.
[37:12.190 --> 37:16.050]  Security IQ assets are going to be great. It's going to be awesome.
[37:16.050 --> 37:24.730]  But I was writing up the paper. I was like, we have these low tier trained, trusted adversaries in our network now.
[37:25.830 --> 37:34.270]  And at the same time, we also have these tools that we spend a lot of money on that say, oh, yeah, like we're going to go after the advanced adversary.
[37:34.270 --> 37:42.070]  It's going to protect you from the advanced adversary because all these low tier script kiddies are just going to get blasted straight out of the window by all these other tools.
[37:42.070 --> 37:47.570]  And you're protected. So I was thinking, you know, like, let's test that.
[37:49.250 --> 37:56.210]  Because I just spent nine weeks training these people. And at their core, like they're low tier actors, right?
[37:56.210 --> 38:00.590]  They're the script kiddies there. And more than that, they're trusted script kiddies.
[38:00.950 --> 38:07.190]  And I know that if I give them something to do, they're going to execute on it. They're going to take notes on it.
[38:07.190 --> 38:11.470]  I'll be able to deconflict with them. I was like, man, let's try it like this.
[38:11.470 --> 38:15.750]  The idea made so much sense to me. I was like, we just trained these people. Let's use them.
[38:15.750 --> 38:20.710]  That's where the two phases came in. We upskill the assets, and now we're going to unleash hell on them.
[38:20.710 --> 38:23.650]  So I had to come up with this way to sell it because I had to sell it to everybody.
[38:23.650 --> 38:28.130]  I had to figure out how are we going to decentralize these adversaries?
[38:28.430 --> 38:30.890]  How are we going to arm these guerrillas?
[38:32.030 --> 38:40.710]  If the red team is the Green Berets, and these people that we just spent nine weeks training are the local indigenous population that now know how to shoot a gun.
[38:41.270 --> 38:44.650]  How do I get them a gun? How do I get them a target to attack?
[38:44.650 --> 38:48.590]  That was my problem to figure out. And I was like, I got to figure this out right now.
[38:49.130 --> 38:51.310]  And I got to incorporate this into my paper.
[38:52.970 --> 38:56.870]  So here's the guerrilla red team right here. This is what it is at its core.
[38:57.770 --> 39:04.890]  And just like I talked about, you have all these EDR platforms that say, oh, we'll protect you from all this stuff.
[39:04.890 --> 39:08.370]  Advanced sandboxing. EDR is essential.
[39:08.370 --> 39:15.870]  You have this EDR maturity model. We have AI built in and stuff.
[39:15.870 --> 39:20.250]  OK, let's see if you can kick off some low tier actors.
[39:21.870 --> 39:25.590]  So this is the flowchart that I came up with, and I'm going to walk through it real quick.
[39:25.590 --> 39:28.510]  This is the guerrilla red team phase two flowchart.
[39:30.230 --> 39:37.190]  And before I really get into it, I just want to just kind of walk through just a brief how a guerrilla red team works.
[39:37.190 --> 39:42.350]  You train up, you upskill the guerrillas, right? That's the red team dev program. That's phase one.
[39:42.470 --> 39:46.630]  Phase two is the red team retains control of these assets.
[39:46.930 --> 39:49.390]  But to arm them, what does that mean exactly?
[39:49.390 --> 39:53.970]  Arming means you have to provide them with a way to attack, right?
[39:54.210 --> 39:58.010]  So that means you have to provide them with a platform to attack from.
[39:58.010 --> 40:01.470]  And you have to provide them with the ammunition to attack with.
[40:01.470 --> 40:07.550]  To translate that into cyber is basically you have to provide them an ops box to shoot from.
[40:07.650 --> 40:11.670]  And you have to give them credentials to shoot with.
[40:11.670 --> 40:22.590]  Because they may not be able to pop a box, but they can probably exploit a box with credentials.
[40:22.610 --> 40:27.510]  So now at this point, what do those credentials look like?
[40:27.510 --> 40:30.890]  Okay, those are probably basically canary credentials.
[40:31.950 --> 40:34.970]  I'm going to have to form some partnership with Helpdesk now.
[40:35.230 --> 40:45.170]  Some high-level partnership with the stakeholders so that we can get these certain credentials that are inactive to be used during the op.
[40:45.970 --> 40:47.870]  By the way, what does that look like?
[40:47.870 --> 40:50.630]  Let's keep the same cadence, four hours.
[40:50.630 --> 40:53.730]  Do four hours once a month per guerrilla operator.
[40:53.730 --> 40:59.850]  Okay, so for four hours once a month, instead of doing Hack The Box, they're going to do hack the network.
[41:00.450 --> 41:03.450]  And the red team is going to have to figure out a way to maintain control of that.
[41:03.450 --> 41:05.430]  So let's walk through how this is.
[41:05.550 --> 41:07.790]  So I call it an arms delivery, right?
[41:07.790 --> 41:10.010]  Does the guerrilla operator have an arms delivery?
[41:10.010 --> 41:12.490]  If the answer is no, they go to the space.
[41:12.810 --> 41:20.170]  So they're going to submit something that they want, an op plan, which is like this is a singular target that we want to attack.
[41:20.170 --> 41:29.750]  The red team is going to conduct safety checks on it to see, you know, make sure you're not like trying to pop the CEO's box or something, or you're going to take down some super critical production asset.
[41:29.890 --> 41:35.350]  They are not there to say yes or no to what the target is.
[41:35.350 --> 41:39.070]  The red team is there to say yes or no, this is safe.
[41:39.930 --> 41:45.990]  The red team is not allowed to say yes or no to what the target is because we're decentralizing the adversary.
[41:45.990 --> 41:53.470]  The red team might not see this particular target as worthwhile, but this guerrilla might.
[41:53.810 --> 41:57.990]  So if you're going to put all your EDR platforms on something that doesn't seem...
[41:58.950 --> 42:08.850]  If you're going to put your EDR platforms on something, on all your crown jewels, but you leave this other thing over here just open, maybe the guerrilla goes after that instead because they just want to, right?
[42:08.850 --> 42:12.790]  So that's part of the decentralization or decentralized process.
[42:12.790 --> 42:16.750]  Anyway, if it gets approved, we go into the arming phase, right?
[42:16.750 --> 42:21.470]  The red team will request accounts from the help desk or whoever it is.
[42:21.550 --> 42:23.890]  If they get approved, they will be held in trust.
[42:23.890 --> 42:29.210]  Like for our example, we're going to hold them in LastPass, right?
[42:29.210 --> 42:30.470]  But they'll be inactive.
[42:30.470 --> 42:36.650]  So you have like 10 accounts with varying sets of permissions, inactive, ready to go, right?
[42:36.650 --> 42:38.150]  And that requires a relationship.
[42:38.150 --> 42:44.330]  So if you're on a red team and you want to do this, you better start learning how to talk to people because you should be doing that anyway.
[42:44.370 --> 42:48.190]  But you're going to have to build a relationship and sell this thing.
[42:48.790 --> 42:52.850]  Anyway, so your credentials, you're going to build your target package.
[42:53.070 --> 42:54.350]  So what does that look like?
[42:54.350 --> 42:55.470]  That's credentials.
[42:55.530 --> 42:57.710]  You siphon off one of the credentials.
[42:57.850 --> 43:03.150]  You build them an EC2 instance that has a public IP or that is peered internally.
[43:03.470 --> 43:06.150]  You generate some SSH keys just for them.
[43:06.150 --> 43:09.730]  You push your creds and the keys to S3.
[43:09.750 --> 43:11.210]  It's locked down.
[43:11.270 --> 43:14.010]  The attack host is like sitting there waiting to go.
[43:14.030 --> 43:19.390]  All that is required now is for them to schedule their op for their four hours.
[43:19.510 --> 43:22.330]  So at this point, they've submitted something they want to attack.
[43:22.330 --> 43:28.690]  And that can come from like the red team can provide that list and say pick one of these 10 things because they're the most vulnerable.
[43:28.690 --> 43:36.410]  Like if you have a vulnerability management platform and you can pull that list, you can get an idea of whether or not it's going to be super hard or not.
[43:36.410 --> 43:38.550]  And you can just kind of farm this out through the guerrillas.
[43:40.470 --> 43:44.250]  But you provide like, OK, here's what you're going to attack.
[43:44.250 --> 43:46.390]  Here's the cred you're going to use to attack it with.
[43:47.850 --> 43:52.490]  And here's your security mechanisms to get on this host.
[43:52.690 --> 43:56.950]  So now you need to schedule an arms delivery, which you have done.
[43:56.950 --> 44:00.390]  So now we go to the second phase of the flowchart.
[44:00.390 --> 44:02.470]  So, yes, the arms delivery is scheduled.
[44:03.050 --> 44:09.210]  Now, the day of the op, when it's scheduled, the guerrilla is going to give you an IP address.
[44:09.550 --> 44:14.030]  And you as the red team are going to have to submit this IP address for whitelisting.
[44:14.450 --> 44:18.690]  You as the red team are going to have to notify helpdesk to make the account active.
[44:18.870 --> 44:22.050]  And there are automation steps in here all over the place.
[44:22.050 --> 44:27.330]  The more that you can automate this with Lambda or whatever, the better.
[44:28.910 --> 44:34.650]  But you know you're going to notify helpdesk, hey, I need you to make this account active in an hour or 30 minutes or something.
[44:34.650 --> 44:42.310]  They make it active. And then you go to EC2, whitelist that IP in the security groups.
[44:42.310 --> 44:47.890]  You go to S3, you can either figure out a way to whitelist the IP in S3 or generate a pre-signed URL
[44:47.890 --> 44:54.010]  and just give that to the guerrilla so that they can pull down their target package.
[44:54.210 --> 45:02.150]  And maybe that pre-signed URL only lasts four hours, which is what we said we were going to do anyway.
[45:02.170 --> 45:08.110]  So you give it to them. You say, hey, man, it's 10 o'clock. I need you to pull down this and get ready to go.
[45:08.110 --> 45:13.990]  It's going to have your SSH keys to get into your ops box. Here's your target. Have fun.
[45:14.710 --> 45:22.090]  So they download the target package from S3. They connect to the host. They conduct their op for four hours.
[45:22.090 --> 45:27.070]  They're probably going to make a whole hell of a lot of noise. They're going to set off a lot of alarms.
[45:27.070 --> 45:33.970]  And then at the end of four hours, automation kicks in, security group blacklist or not blacklist,
[45:33.970 --> 45:41.210]  but their whitelist IP gets removed from the security group and they lose access to the box.
[45:41.210 --> 45:53.550]  And the op is over. Now, even if they weren't successful, even if the creds worked, but they couldn't get on anything at all,
[45:53.550 --> 46:00.050]  some random box in the network just got hit with some random account.
[46:01.030 --> 46:06.430]  And maybe the EDR caught the malware that they were trying to put on. Maybe it didn't.
[46:06.430 --> 46:11.290]  Maybe they just got on the box and it's like did a bunch of surveys or something.
[46:12.110 --> 46:15.650]  And by the way, like also the red team would put, similar to Hack The Box,
[46:15.650 --> 46:23.230]  we would put user.txt and root.txt on the box as well to kind of simulate sentinel data being stolen.
[46:23.990 --> 46:29.110]  It still gamifies it a little bit. So if they were able to get their user.txt and their root.txt.
[46:29.770 --> 46:33.590]  But even if none of that happened and they just set off a whole hell of a lot of alerts,
[46:33.590 --> 46:43.030]  think about that. Some random box that was just attacked by some random low tier person that's just making all kinds of noise.
[46:43.150 --> 46:47.430]  What's the blue team going to do with that, right? Are they going to treat it like real?
[46:47.430 --> 46:51.330]  Because that doesn't really fit the TTPs of the red team, which is typically stealthy.
[46:51.330 --> 46:57.110]  This is noisy. This is nasty. So it's a good training opportunity for everybody, really.
[46:57.450 --> 47:02.530]  The guerrillas get it. You know, they get to sweat a little bit by like trying not to kick over a production box.
[47:02.530 --> 47:16.170]  The blue team gets to do some deconfliction. And if the EDR doesn't pick up anything, well, then you need to reevaluate your EDR because some low tier people just like kick down the front door.
[47:16.690 --> 47:26.470]  And like, that's a problem. And you should know that from a trusted source and not like getting ransomware in your entire network.
[47:26.610 --> 47:31.670]  But anyway, so after the op is over, the guerrilla submits the notes to the red team.
[47:31.670 --> 47:38.090]  We debrief the guerrilla and we store the op notes for deconfliction. I have a whole deconfliction process set up at my red team.
[47:38.690 --> 47:43.130]  And we just kind of wait for those things to come in. And then here's the fun part.
[47:45.250 --> 47:52.870]  Once that is done, the ops platform doesn't always have to be a Kali box. It could be a Windows box. It could be anything.
[47:52.870 --> 48:02.190]  But once it's done, you power off the EC2 and you take the hard disk and you image it.
[48:04.170 --> 48:07.030]  And what you do with that is you give it to the blue team.
[48:07.310 --> 48:11.990]  And it's up to the blue team to decide whether or not they want to do forensics training on it.
[48:12.290 --> 48:15.890]  They can do response training as the guerrilla is banging around the network.
[48:15.890 --> 48:21.810]  But if they want to do forensics training, they have this image of a low tier actor with all their tools and stuff on there.
[48:21.810 --> 48:29.350]  And I'm sure there's... I had thoughts of maybe putting all kinds of logging and everything turned on in the ops box so that they could go find those.
[48:29.710 --> 48:32.950]  And then the blue team would have to go make the compromised account active.
[48:32.950 --> 48:38.550]  And if they don't do it within a certain amount of time, then the red team has that relationship with helpdesk already built in.
[48:39.310 --> 48:44.270]  But really, this whole process accomplishes so many things.
[48:44.350 --> 48:48.850]  And when I talk about decentralizing the adversary, here's what it accomplishes.
[48:48.850 --> 48:54.530]  It doesn't mean to decentralize in the physical sense.
[48:54.650 --> 48:58.830]  Like just because your operator is in Arizona, and they're attacking something in New York.
[48:58.830 --> 49:02.830]  Yes, that is one type of decentralization, but you're decentralizing TTPs.
[49:02.950 --> 49:05.630]  You're decentralizing target selection.
[49:05.750 --> 49:08.310]  You are decentralizing all sorts of things.
[49:08.750 --> 49:13.650]  And you're doing that by giving it to somebody that maybe writes their op notes a little bit differently.
[49:13.650 --> 49:17.730]  You tell them one thing, but their brain interprets it as something else.
[49:17.730 --> 49:23.610]  And they make their own set of op notes, not in any way that you had ever thought to even make them.
[49:23.870 --> 49:25.390]  People think differently.
[49:25.390 --> 49:27.990]  And at the end of the day, it is a person that's behind the keyboard.
[49:27.990 --> 49:38.530]  So if you can get as many variables into your network as possible in a controlled manner, that's just going to make your security program even stronger.
[49:38.770 --> 49:43.370]  And at the end of the day, you might also spin up some red teamers in the process.
[49:43.370 --> 49:48.990]  And they're going to come to you, or they're going to bring new life into the community.
[49:49.150 --> 49:53.690]  And I'll tell you, the only thing that this program really cost to do was time.
[49:53.690 --> 49:59.830]  It didn't cost thousands of dollars to do this. It cost my time, and it cost the time of the people that were in the program.
[50:01.630 --> 50:03.050]  So what's next?
[50:03.050 --> 50:10.450]  Well, unfortunately, I couldn't actually talk about the guerrilla ops that we are doing currently because they're still in progress.
[50:10.450 --> 50:17.030]  And I wanted to have a little bit more data to say, yes, these work, or no, they don't work, or we had to change these aspects.
[50:17.230 --> 50:21.650]  Maybe that'll be the 2021 talk, like guerrilla red team year two. I don't know.
[50:22.290 --> 50:28.430]  But what's next is we're going to continue to try to automate a lot of the build out process for arming the guerrillas.
[50:29.710 --> 50:34.690]  Trying to maybe automate some of the target generation.
[50:35.510 --> 50:41.810]  Just more of the processes of what we do with the platform, how we get things to the guerrillas.
[50:42.450 --> 50:50.110]  That's what we're going to try to do, is just keep testing it, gathering metrics and stuff, all that boring red team manager stuff.
[50:50.610 --> 50:53.770]  So that we can see how much of a business impact it actually did have.
[50:53.770 --> 51:02.070]  But at the end of the day, for the capital investment that was required for this, I imagine it's probably going to have significant return on investment.
[51:02.070 --> 51:08.090]  Because, I mean, it didn't cost anything. It cost like less than $100 per person for nine weeks.
[51:10.250 --> 51:14.070]  So I want to give a couple shout outs to that. That pretty much is the end of my talk.
[51:15.130 --> 51:20.810]  Remember phase one was the red team dev program. You upskill the assets. Phase two is in progress.
[51:20.810 --> 51:28.090]  The guerrilla red team, you let them loose on the network to decentralize as much of that thought and brain power as you can.
[51:28.570 --> 51:36.770]  Shout outs. I want to thank Cybrary for giving me a platform to write my paper and to work with me on everything.
[51:38.050 --> 51:41.330]  I had never done a white paper before and they were awesome to work with.
[51:41.330 --> 51:49.490]  So if you have anything that you want to talk about, they really help you out getting your thoughts on paper and editing and everything else.
[51:50.510 --> 51:57.350]  I want to thank Mr. Omar also for letting me slide into his DMs at, like, the last minute to get this talk approved.
[51:57.350 --> 52:04.390]  Because as I was writing it up, I was like, I really, really, really want to talk about this guerrilla aspect.
[52:04.450 --> 52:09.350]  Because I think it could change how a red team arms itself.
[52:09.350 --> 52:16.670]  You have your professionals and then you have these low tier assets that you've trained and they're supposed to be low tier.
[52:16.730 --> 52:23.250]  Like low tier ain't so bad. Like I said earlier, low tier is good if you have the right controls in place.
[52:23.250 --> 52:24.870]  So thank you Omar for letting me in.
[52:26.210 --> 52:30.290]  I want to thank the ABSOL cohort for sticking with me through this pilot process.
[52:30.770 --> 52:34.150]  I definitely should have streamlined it a little bit better.
[52:34.150 --> 52:43.330]  But because of your feedback, I think I've been able to make it a better place for the next cohort.
[52:44.130 --> 52:47.790]  And all of them have said that they want to decide to stay on as fellows.
[52:47.850 --> 52:53.270]  So we're going to continue to talk and I look forward to seeing how they grow.
[52:53.910 --> 53:01.110]  I want to thank Hack the Box for having a platform in which we could host a training platform on our own ad hoc.
[53:01.330 --> 53:06.210]  And I want to thank Darknet Diaries for being like one of the only hacking podcasts that I could find.
[53:06.370 --> 53:10.550]  And it's actually good. It's not just good because it's, like, one of the only ones.
[53:10.550 --> 53:12.730]  It's good because it's good. So thank you for that.
[53:15.390 --> 53:19.010]  So thank you for walking through this whole process with me.
[53:19.010 --> 53:22.490]  It's been a lot. Phase one, phase two, a lot of talk.
[53:22.490 --> 53:26.050]  It's all about how to upskill and unleash assets.
[53:27.730 --> 53:34.630]  And that is the Guerrilla Red team. So if you have any questions, please feel free to reach out to me on Twitter.
[53:34.870 --> 53:42.830]  Then I think I'll be in Discord for a little bit to do some Q&A on this if anybody has any questions, but really take this and run with it.
[53:42.830 --> 53:46.550]  I have an op note generator if you want to steal it on my GitHub.
[53:46.970 --> 53:54.750]  It uses PyCharm. I'm sorry, it uses Sublime and a JSON file.
[53:54.750 --> 54:00.330]  And all you got to do is plug a couple of things in and it crops out, like, a really good op note template for you.
[54:00.330 --> 54:03.310]  It makes a bunch of folders and stuff, so it's easy to categorize.
[54:03.490 --> 54:05.550]  But other than that, just please feel free to reach out.
[54:05.550 --> 54:12.430]  And I hope that somebody takes this and just like makes it awesome, even more so than I made it awesome.
[54:12.430 --> 54:18.590]  But I really would like to see it spread because getting people into the field outside of the federal pipeline is hard.
[54:18.710 --> 54:25.670]  And if we could do this at the grassroots level, not only does the red team win, but the people win, which is what's important.
[54:26.010 --> 54:31.970]  And if the people win, the business wins too. I have to say that, but the people win the most.
[54:31.970 --> 54:36.770]  And that's what it's all about. So thank you. My name is Chris and take care.
